Use .htaccess and PHP session together - is it possible?

ecce
Forum Newbie
Posts: 5
Joined: Tue Apr 25, 2006 4:16 am

Use .htaccess and PHP session together - is it possible?

Post by ecce »

This may be an apache question more than actual PHP, but anyway:

Is it possible to write a few lines in a .htaccess file that only allows the contents of that folder to be viewed by those who have $_SESSION['username'] set? I need to protect the contents of a folder for those who are not yet logged onto the site.
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Re: Use .htaccess and PHP session together - is it possible?

Post by Chris Corbyn »

ecce wrote: This may be an apache question more than actual PHP, but anyway:

Is it possible to write a few lines in a .htaccess file that only allows the contents of that folder to be viewed by those who have $_SESSION['username'] set? I need to protect the contents of a folder for those who are not yet logged onto the site.

Why not just do this at the top of each file?

Code: Select all

<?php

session_start();
if (!isset($_SESSION['username'])) header("Status: 404 Not Found");

?>
You could auto_prepend that using .htaccess I think too.
ecce
Forum Newbie
Posts: 5
Joined: Tue Apr 25, 2006 4:16 am

Post by ecce »

I store Cisco proprietary materials on the server, and modifying the .html files is a bad idea. Unauthorized people should not be able to access the material by entering a direct URL.
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Post by Chris Corbyn »

ecce wrote: I store Cisco proprietary materials on the server, and modifying the .html files is a bad idea. Unauthorized people should not be able to access the material by entering a direct URL.

With the correct headers being sent back to the browser the client will see the same as if the user entered an invalid URL. If all the files are .html then set the web server to parse .html with the PHP interpreter and use auto_prepend_file to include a bit of code that does a check then sends headers and exits if there's a problem (I think that's what the ini setting is).
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

Worth noting you might want to call exit() directly after the header() call to avoid other code from possibly being run.
ecce
Forum Newbie
Posts: 5
Joined: Tue Apr 25, 2006 4:16 am

Post by ecce »



I think the suggested solution from d11wtq was a great idea, and I've tried to implement it. I ran into trouble, so please help me through this if you can. These are the .htaccess file and php code:

.htaccess

Code: Select all

AddType application/x-httpd-php .html
AddType application/x-httpd-php .htm

php_value auto_prepend_file /var/www/html/curriculum/secure.php

secure.php

Code: Select all

<?php
session_start();
if(empty($_SESSION['username']))
{
	echo "You must be logged in to view the Cisco curriculum.<br />";
	print_r($_SESSION); // debug: print_r() prints by itself; echoing its return value adds a stray "1"
	exit();
}
?>
It sure runs the php script, but the $_SESSION array is totally empty, although I am logged in. The link is opened in a new window, but that usually doesn't bother sessions as long as it is the same browser, right? If I remove all of the URL except the server name and hit enter (so I get to the start page) it says I'm logged in.


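An added example, not code from any poster in this thread: a version of the auto_prepend_file guard that exits after sending the 404, as suggested above, and writes its diagnostics to the server log instead of printing $_SESSION into the page. The function name guard_decision() and the log message format are hypothetical, and it assumes the login script uses the same session name and a cookie path that also covers the protected folder; the thread does not say why the session came back empty.

```php
<?php
// secure.php - added example of an auto_prepend_file guard (not the poster's code).
// Assumption: the login script uses the same session name and a cookie path
// (for example "/") that is also sent for URLs under the protected folder.

/**
 * Decide what the guard should do for this request (hypothetical helper).
 * Returns 'allow', 'no_cookie' (browser sent no session cookie for this URL)
 * or 'not_logged_in' (cookie arrived, but the session has no username).
 */
function guard_decision(array $cookies, array $session, string $sessionName): string
{
    if (!isset($cookies[$sessionName])) {
        return 'no_cookie';
    }
    if (empty($session['username'])) {
        return 'not_logged_in';
    }
    return 'allow';
}

session_start();
$decision = guard_decision($_COOKIE, $_SESSION, session_name());

if ($decision !== 'allow') {
    // Diagnose in the server log, never in the response: dumping $_SESSION
    // to the page would show session contents to whoever requested the URL.
    error_log(sprintf(
        'curriculum guard: %s for %s (session.name=%s, save_path=%s)',
        $decision,
        $_SERVER['REQUEST_URI'] ?? '-',
        session_name(),
        session_save_path()
    ));

    // Same response an invalid URL would produce, then stop so the
    // protected .html file that follows the prepend is never emitted.
    http_response_code(404);
    header('Cache-Control: no-store');
    exit;
}

// Logged in: keep browsers and proxies from caching the protected page.
header('Cache-Control: private, no-store');
// Caveat: only files Apache hands to PHP (.html/.htm here) run this guard;
// images, PDFs and other types in the folder are still served directly.
```

A 'no_cookie' entry in the log points at the cookie's path or domain scope, while 'not_logged_in' points at the session name or save path differing from what the login script uses.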